North Korean actors push 197 malicious packages to npm to deploy OtterCookie variant

Security researchers have identified 197 malicious packages uploaded to the npm registry as part of a campaign linked to North Korean threat actors known as Contagious Interview. Socket reported the packages have been downloaded more than 31,000 times and are intended to deliver a variant of the OtterCookie loader that incorporates capabilities from prior BeaverTail tooling.

Analysis shows the malicious installers attempt to evade sandboxes and virtual machines, profile infected hosts and then establish a command-and-control channel to provide a remote shell. The payloads have been observed with functions to capture clipboard contents, log keystrokes, take screenshots and harvest browser-stored credentials, documents and cryptocurrency wallet data, including seed phrases.

Researchers provided examples of the identified loader packages, including bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms and webpack-loadcss, among others used to reach downstream targets.

Further investigation determined the packages connect to a hard-coded Vercel URL, tetrismic.vercel[.]app, which then fetches the cross-platform OtterCookie payload from a threat actor-controlled GitHub repository. The GitHub account used for delivery, stardev0914, is no longer accessible. Security researcher Kirill Boychenko described the sustained tempo of uploads as evidence the actors have adapted tooling to modern JavaScript and crypto-centric workflows.
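The package names and the hard-coded delivery host quoted above are the kind of indicators a defender can check a project against before `npm install` runs anything. The following is an added example written for this article, not code from Socket or from the reported packages: it audits a `package.json` object for dependencies matching the loader names the article lists and for install-time lifecycle hooks that reference the reported Vercel host, and walks a lockfile `packages` map so transitive dependencies are covered too. The manifest and lockfile objects are constructed sample input (the version strings and the `example-app` name are invented); the only indicators used are those the article itself names.

```javascript
// Added example (not from the original report): audit an npm manifest and
// lockfile for the loader package names and the delivery host the report cites.

// Loader package names quoted in the report (the report says there are others).
const KNOWN_LOADER_PACKAGES = new Set([
  "bcryptjs-node", "cross-sessions", "json-oauth", "node-tailwind",
  "react-adparser", "session-keeper", "tailwind-magic", "tailwindcss-forms",
  "webpack-loadcss",
]);

// Delivery host quoted in the report (defanged there as tetrismic.vercel[.]app).
const KNOWN_DELIVERY_HOSTS = ["tetrismic.vercel.app"];

// Lifecycle scripts npm runs automatically at install time, the stage the
// report says the malicious installers abuse.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Check direct dependencies and install hooks of a parsed package.json.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkg[field] || {})) {
      if (KNOWN_LOADER_PACKAGES.has(name)) {
        findings.push({ kind: "known-loader-dependency", name, field });
      }
    }
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const body = scripts[hook];
    if (!body) continue;
    for (const host of KNOWN_DELIVERY_HOSTS) {
      if (body.includes(host)) {
        findings.push({ kind: "install-hook-contacts-known-host", hook, host });
      }
    }
  }
  return findings;
}

// Walk a lockfile (lockfileVersion 2/3 "packages" map) so transitive
// dependencies are checked; keys look like "node_modules/a/node_modules/b".
function auditLockfile(lock) {
  const findings = [];
  for (const key of Object.keys(lock.packages || {})) {
    const name = key.split("node_modules/").pop();
    if (name && KNOWN_LOADER_PACKAGES.has(name)) {
      findings.push({ kind: "known-loader-in-lockfile", name, path: key });
    }
  }
  return findings;
}

// Constructed sample input: one direct and one dev dependency matching the
// reported names, plus a postinstall hook that references the reported host.
const SAMPLE_MANIFEST = {
  name: "example-app",
  dependencies: { express: "^4.19.0", "tailwindcss-forms": "1.0.3" },
  devDependencies: { "webpack-loadcss": "2.1.0" },
  scripts: {
    postinstall: "node -e \"require('https').get('https://tetrismic.vercel.app/')\"",
    test: "jest",
  },
};

// Constructed sample lockfile with a reported name nested under another package.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/some-ui-kit/node_modules/session-keeper": { version: "0.4.1" },
  },
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

Run against the sample input, the manifest audit reports the two reported package names and the postinstall hook, and the lockfile audit catches the nested session-keeper entry that a direct-dependency check alone would miss. Running this before install (for instance with `npm install --ignore-scripts` as the default and a review step for any flagged hook) keeps the check ahead of the stage the loaders rely on.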

Separately, the campaign has used fake assessment websites and ClickFix-style instructions to lure targets into running malicious binaries. That approach has been linked to delivery of a Go-based backdoor known as GolangGhost (also tracked as FlexibleFerret or WeaselStore); Jamf has documented the recruitment lures and delivery techniques the operators leverage. The Go malware contacts a hard-coded C2 and enters a persistent command loop to collect system information, upload and download files, run commands and harvest Chrome data; in some cases it achieves persistence via a macOS LaunchAgent and employs decoy prompts to capture credentials, which are sent to cloud accounts.

Researchers and analysts distinguish this activity from other DPRK schemes that embed actors within legitimate businesses, noting Contagious Interview is focused on staged recruiting pipelines, malicious coding exercises and fraudulent hiring platforms rather than long-term placement. Third-party reporting on related tactics includes research on actors embedded within legitimate businesses and commentary from industry observers who have said the operation weaponizes the job application process.